Stored Cross-Site Scripting Vulnerability in Sydney Toolbox Plugin for WordPress
CVE-2024-1447

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Sydney Toolbox
Vendor: CVE Published:; 29 February 2024

What is CVE-2024-1447?

The Sydney Toolbox plugin for WordPress is exposed to Stored Cross-Site Scripting vulnerabilities due to inadequate sanitization of user inputs in the aThemes Slider button element. This issue affects all versions up to and including 1.25, enabling authenticated attackers with contributor-level permissions or higher to embed malicious web scripts. When users access pages that include these injected scripts, they may unknowingly execute harmful code, jeopardizing site integrity and user data.

Affected Version(s)

Sydney Toolbox * <= 1.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/sydney-toolbox...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Feb 12, 2024

Credit

Craig Smith